LOCAL Server Group Account Lockout

Scenario: I'm on ASA 5555

Users/AAA > AAA Server Groups > LOCAL Server Group

Edit > Enable Local User Lockout > Maximum Attempts = 3

I can't find any info about how/where to unlock an account or if it happens automatically. 

1 Accepted Solution

@securityengineering 

From ASA 9.17 - The ASA can lock out local users after a configurable number of failed login attempts. This feature did not apply to users with privilege level 15. Also, a user would be locked out indefinitely until an admin unlocked their account. Now, users will be unlocked after 10 minutes (from 9.17) unless an admin uses the clear aaa local user lockout command before then. Privilege level 15 users are also now affected by the lockout setting.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/general/asdm-719-general-config/aaa-local.html

Unfortunately 9.17 is not available on the ASA 5555 hardware you are running, so you'd have to manually unlock the accounts.

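The CLI side of what this thread discusses (setting the lockout threshold, checking which local accounts are locked, and unlocking them manually), as an added example that is not part of the original posts. The prompt ciscoasa and the username jdoe are placeholders.

```text
! CLI equivalent of ASDM "Enable Local User Lockout", Maximum Attempts = 3
ciscoasa(config)# aaa local authentication attempts max-fail 3

! List local users with their failed-attempt count and lock state
ciscoasa# show aaa local user

! Unlock a single account (jdoe is a placeholder username)
ciscoasa# clear aaa local user lockout username jdoe

! Or unlock every locked local account at once
ciscoasa# clear aaa local user lockout all
```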
